From 466f470265554e0e3ae27a6d82375456d2c133e6 Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Thu, 22 Jul 2021 15:32:12 +0200 Subject: [PATCH 3/4] replace potentially harmful backslashes with forward slashes when validating redirection URLs (cherry picked from commit 69cb206225c749b51db980d44dc268eee5623f2b) --- src/mod_auth_openidc.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c index 68fbca5..c96af75 100644 --- a/src/mod_auth_openidc.c +++ b/src/mod_auth_openidc.c @@ -2687,12 +2687,22 @@ static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c, return HTTP_MOVED_TEMPORARILY; } + +#define OIDC_MAX_URL_LENGTH DEFAULT_LIMIT_REQUEST_LINE * 2 + static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c, - const char *url, apr_byte_t restrict_to_host, char **err_str, + const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str, char **err_desc) { apr_uri_t uri; const char *c_host = NULL; apr_hash_index_t *hi = NULL; + size_t i = 0; + char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH); + + // replace potentially harmful backslashes with forward slashes + for (i = 0; i < strlen(url); i++) + if (url[i] == '\\') + url[i] = '/'; if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) { *err_str = apr_pstrdup(r->pool, "Malformed URL"); -- 2.31.1